A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

Full database

Featured actors

Dive into the profiles of threat actors involved in cloud security incidents, shedding light on their motivations and tooling, to aid in risk assessment and threat modeling.


Dreambus botnet

The Dreambus botnet is adept at exploiting weaknesses in various Internet-facing applications, including PostgreSQL, Hadoop, Redis, and other popular software. The operators behind this activity appear to be financially motivated, as infections result in cryptojacking.

LAPSUS$

LAPSUS$ were notorious extortionists that managed to gain access to multiple large organizations throughout 2022 via social engineering and SIM swapping, and in some cases moved laterally into their targets’ cloud environments.

TeamTNT

TeamTNT is a financially motivated threat actor known for targeting misconfigured containers for cryptojacking. They have also been observed enumerating cloud environments and compromising their victims' credentials for various cloud services.

Featured techniques

An overview of attack techniques used by threat actors in cloud security incidents, aligned with the MITRE ATT&CK matrix framework for additional context.

SSH (Secure Socket Shell) is commonly used as a remote access method for Linux servers. If a local user is misconfigured with an empty or weak password, that account can be compromised by threat actors running a brute-force or password-spraying attack against an organization's IP range. To mitigate this technique, local users should use strong passwords, and firewall rules should be configured to prevent public exposure of the server, limiting access to trusted IP ranges (such as the organization's own IP range or a VPN).

View the full list

Featured incidents

A historical collection of past cloud security campaigns and incidents, offering insight into targeting patterns, initial access methods, and actual impact.

Double supply chain attack (April 2023)

In March 2023, a North Korean threat actor (dubbed “SmoothOperator”) gained access to 3CX (a VoIP vendor) and inserted a backdoor into their desktop product, which was then used to target some of their customers, primarily crypto companies. Researchers later discovered that 3CX themselves had been infected via a supply chain attack on another company, Trading Technologies, that occurred in November 2021.

PyLoose cryptomining campaign

In mid-2023, an unknown financially motivated threat actor began targeting publicly exposed Jupyter Notebook instances to hijack them for cryptomining operations. The threat actor deployed a fileless Python tool (dubbed “PyLoose”) that loaded an XMRig miner directly into memory.

From Docker image to cloud breach (April 2021)

In April 2021, Codecov was compromised by an unknown threat actor who abused their access to the company's cloud environment to conduct a supply chain attack. The threat actor gained initial access to Codecov's GCP environment by extracting an HMAC key for a service account from a public Docker image created by Codecov. The attacker then used this key to modify the version of the Codecov Bash Uploader stored in Google Cloud Storage and available for end users to download, inserting a malicious payload that executed in customer environments. Multiple Codecov customers are known to have been impacted by this supply chain attack, with the threat actor managing to exfiltrate data from their environments.

FAQ

The Cloud Threat Landscape is a curated public instance of Wiz Research’s internal cloud threat intelligence database, summarizing information about publicly disclosed cloud security incidents and campaigns. Additionally, the database lists threat actors known to have compromised cloud environments, the tools and techniques in their arsenal, and the technologies they prefer to target.

